From 3f2b58d6e15ff95857cca1ac9c0f42d17e68a734 Mon Sep 17 00:00:00 2001
From: frosch <frosch@openttd.org>
Date: Mon, 7 Apr 2025 19:30:36 +0200
Subject: [PATCH] Fix: Validate raw strings from game-scripts, and strip
 invalid and control characters. (#13976)

---
 src/script/api/script_text.cpp | 3 ++-
 src/strings.cpp                | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/script/api/script_text.cpp b/src/script/api/script_text.cpp
index 6f167f2ccd..acfbd20861 100644
--- a/src/script/api/script_text.cpp
+++ b/src/script/api/script_text.cpp
@@ -201,9 +201,10 @@ void ScriptText::ParamCheck::Encode(std::back_insert_iterator<std::string> &outp
 	struct visitor {
 		std::back_insert_iterator<std::string> &output;
 
-		void operator()(const std::string &value)
+		void operator()(std::string value)
 		{
 			Utf8Encode(this->output, SCC_ENCODED_STRING);
+			StrMakeValidInPlace(value, SVS_REPLACE_WITH_QUESTION_MARK | SVS_ALLOW_NEWLINE | SVS_REPLACE_TAB_CR_NL_WITH_SPACE);
 			fmt::format_to(this->output, "{}", value);
 		}
 
diff --git a/src/strings.cpp b/src/strings.cpp
index f3cfd3081b..2ceaa0e1ec 100644
--- a/src/strings.cpp
+++ b/src/strings.cpp
@@ -126,7 +126,7 @@ EncodedString GetEncodedStringWithArgs(StringID str, std::span<const StringParam
 				char32_t c;
 				const char *p = value.data();
 				if (Utf8Decode(&c, p)) {
-					assert(c != SCC_ENCODED && c != SCC_ENCODED_INTERNAL);
+					assert(c != SCC_ENCODED && c != SCC_ENCODED_INTERNAL && c != SCC_RECORD_SEPARATOR);
 				}
 			}
 #endif /* WITH_ASSERT */